鑫隆园艺 posted on 2012-10-25 15:04:53

SSH honeypot: a detailed introduction to kippo

Original article: http://fuzzexp.org/ssh_honeypot_kippo.html

A honeynet is a honeypot that adds further technology so that an attacker's actions are recorded in a controlled way while the risk to other systems on the Internet is minimised or eliminated. A honeypot placed behind a reverse firewall is one example: the firewall's purpose is not to block inbound connections but to stop the honeypot from establishing outbound ones. Although this keeps the honeypot from damaging other systems, it also makes it easy for an attacker to spot.

Data collection is another technical challenge in setting up a honeypot. By recording every packet that enters or leaves the system, the honeypot operator can see exactly what the attacker did. The log files on the honeypot itself are also a good data source, but they are easily deleted by an attacker, so the usual approach is to have the honeypot send a copy of its logs to a better-defended remote syslog server on the same network. (Be sure to monitor the log server as well: if an attacker breaks into it with a new technique, the honeypot will certainly have proven its worth.)

One advantage of honeypot systems is that they greatly reduce the amount of data to analyse. On an ordinary web or mail server, attack traffic is usually drowned out by legitimate traffic, whereas most of the traffic into and out of a honeypot is attack traffic. That makes it much easier to browse the data and work out what the attacker actually did.

Since its launch in 1999 the Honeynet Project has collected a great deal of information. Some of its findings: the rate of attacks doubled over the past year; attackers increasingly use automated point-and-click tools aimed at known vulnerabilities (such tools are easy to update when a new vulnerability is found); and, despite the bluster, very few attackers use new attack techniques.

Set up the server

Installation

root@ubuntu:~# mkdir kippo
root@ubuntu:~# apt-get install python-dev openssl python-openssl python-pyasn1 python-twisted python-mysqldb

Get the source code

root@ubuntu:~# cd kippo/
root@ubuntu:~/kippo# svn checkout http://kippo.googlecode.com/svn/trunk/ .

Add a dedicated user and group for kippo

root@ubuntu:~/kippo# useradd -s /bin/bash -d /home/kippo -m kippo

Add a dedicated MySQL user for kippo

root@ubuntu:~/kippo# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 34
Server version: 5.1.61-0ubuntu0.10.10.1-log (Ubuntu)
Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> CREATE DATABASE kippo;
Query OK, 1 row affected (0.00 sec)
mysql> GRANT ALL ON kippo.* to 'kippo'@'localhost' identified by '123456';
Query OK, 0 rows affected (0.00 sec)
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| kippo              |
| mysql              |
| pentest            |
+--------------------+
4 rows in set (0.01 sec)
mysql>

The account name is the same as the database name, and the password is 123456.

Import the default database schema

root@ubuntu:~/kippo# cd doc/sql/
root@ubuntu:~/kippo/doc/sql# ls
mysql.sql  update2.sql  update3.sql  update4.sql  update5.sql  update6.sql
root@ubuntu:~/kippo/doc/sql# mysql -ukippo -p123456 kippo < mysql.sql

Edit the configuration

The template is kippo.cfg.dist:

root@ubuntu:~/kippo# mv kippo.cfg.dist kippo.cfg

Edit it; mine is as follows:

root@ubuntu:~/kippo# cat kippo.cfg
#
# Kippo configuration file (kippo.cfg)
#

[honeypot]

# IP addresses to listen for incoming SSH connections.
#
# (default: 0.0.0.0) = any address
ssh_addr = 0.0.0.0

# Port to listen for incoming SSH connections.
#
# (default: 2222)
ssh_port = 2222

# Hostname for the honeypot. Displayed by the shell prompt of the virtual
# environment.
#
# (default: sales)
hostname = ubuntu

# Directory where to save log files in.
#
# (default: log)
log_path = log

# Directory where to save downloaded (malware) files in.
#
# (default: dl)
download_path = dl

# Directory where virtual file contents are kept in.
#
# This is only used by commands like 'cat' to display the contents of files.
# Adding files here is not enough for them to appear in the honeypot - the
# actual virtual filesystem is kept in filesystem_file (see below)
#
# (default: honeyfs)
contents_path = honeyfs

# File in the python pickle format containing the virtual filesystem.
#
# This includes the filenames, paths, permissions for the whole filesystem,
# but not the file contents. This is created by the createfs.py utility from
# a real template linux installation.
#
# (default: fs.pickle)
filesystem_file = fs.pickle

# Directory for miscellaneous data files, such as the password database.
#
# (default: data_path)
data_path = data

# Directory for creating simple commands that only output text.
#
# The command must be placed under this directory with the proper path, such
# as:
#   txtcmds/usr/bin/vi
# The contents of the file will be the output of the command when run inside
# the honeypot.
#
# In addition to this, the file must exist in the virtual
# filesystem {filesystem_file}
# (default: txtcmds)
txtcmds_path = txtcmds

# Public and private SSH key files. If these don't exist, they are created
# automatically.
#
# (defaults: public.key and private.key)
public_key = public.key
private_key = private.key

# Initial root password. NO LONGER USED!
# Instead, see {data_path}/userdb.txt
password = 123456

# IP address to bind to when opening outgoing connections. Used exclusively by
# the wget command.
#
# (default: not specified)
out_addr = 0.0.0.0

# Sensor name use to identify this honeypot instance. Used by the database
# logging modules such as mysql.
#
# If not specified, the logging modules will instead use the IP address of the
# connection as the sensor name.
#
# (default: not specified)
#sensor_name=myhostname

# Fake address displayed as the address of the incoming connection.
# This doesn't affect logging, and is only used by honeypot commands such as
# 'w' and 'last'
#
# If not specified, the actual IP address is displayed instead (default
# behaviour).
#
# (default: not specified)
#fake_addr = 192.168.66.254

# Banner file to be displayed before the first login attempt.
#
# (default: not specified)
#banner_file =

# Session management interface.
#
# This is a telnet based service that can be used to interact with active
# sessions. Disabled by default.
#
# (default: false)
interact_enabled = false
# (default: 5123)
interact_port = 5123

# MySQL logging module
#
# Database structure for this module is supplied in doc/sql/mysql.sql
#
# To enable this module, remove the comments below, including the
# [database_mysql] line.

[database_mysql]
host = localhost
database = kippo
username = kippo
password = 123456

# XMPP Logging
#
# Log to an xmpp server.
# For a detailed explanation on how this works, see:
#
# To enable this module, remove the comments below, including the
# [database_xmpp] line.
#
#[database_xmpp]
#server = sensors.carnivore.it
#user = anonymous@sensors.carnivore.it
#password = anonymous
#muc = dionaea.sensors.carnivore.it
#signal_createsession = kippo-events
#signal_connectionlost = kippo-events
#signal_loginfailed = kippo-events
#signal_loginsucceeded = kippo-events
#signal_command = kippo-events
#signal_clientversion = kippo-events
#debug=true
root@ubuntu:~/kippo#

Install the port-binding tool (authbind)

root@ubuntu:~/kippo# apt-get install authbind

Configure it

root@ubuntu:~/kippo# chown kippo:kippo /etc/authbind/byport/22
root@ubuntu:~/kippo# chmod 777 /etc/authbind/byport/22
root@ubuntu:~/kippo# chown -R kippo:kippo /root/kippo/

Create a start script

root@ubuntu:~/kippo# echo "twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid" > 1.sh
root@ubuntu:~/kippo# cat 1.sh
twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid
root@ubuntu:~/kippo#

Move the tool into place

root@ubuntu:~# mv kippo/ /opt/
root@ubuntu:~# cd /opt/
root@ubuntu:/opt# ls
kippo
root@ubuntu:/opt# cd kippo/

Change the kippo user's password and switch to kippo

root@ubuntu:~/kippo# passwd kippo
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@ubuntu:~/kippo# su kippo
kippo@ubuntu:/root/kippo$ id
uid=1002(kippo) gid=1002(kippo) groups=1002(kippo)
kippo@ubuntu:/root/kippo$

Start

kippo@ubuntu:/opt/kippo$ pwd
/opt/kippo
kippo@ubuntu:/opt/kippo$ ./start.sh
Starting kippo in background...Loading dblog engine: mysql
Generating RSA keypair...
done.

Check the listener

kippo@ubuntu:/opt/kippo$ netstat -antp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      4615/python
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.71.130:22       192.168.71.129:44874    ESTABLISHED -
tcp6       0      0 :::22                   :::*                    LISTEN      -
kippo@ubuntu:/opt/kippo$

The line that matters is the kippo listener on 2222:

tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 4615/python

Find the process

kippo@ubuntu:/opt/kippo$ ps -ef | grep 4615
kippo     4615     1  0 13:47 ?        00:00:00 /usr/bin/python /usr/bin/twistd -y kippo.tac -l log/kippo.log --pidfile kippo.pid
kippo     4626  4588  0 13:48 pts/0    00:00:00 grep --color=auto 4615
kippo@ubuntu:/opt/kippo$

Scan the Ubuntu machine; kippo's configuration file defines the port as 2222

root@Dis9Team:~# nmap -sV 192.168.71.130 -p 2222
Starting Nmap 5.51 ( http://nmap.org ) at 2012-10-11 22:51 PDT
Nmap scan report for 192.168.71.130
Host is up (0.00024s latency).
PORT     STATE SERVICE VERSION
2222/tcp open  ssh     OpenSSH 5.1p1 Debian 5 (protocol 2.0)
MAC Address: 00:0C:29:9E:3F:14 (VMware)
Service Info: OS: Linux
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds
root@Dis9Team:~#

An OpenSSH service shows up.

The password in kippo's configuration file is defined as 123456; let's test it.

root@Dis9Team:~# ssh root@192.168.71.130 -p2222
The authenticity of host ':2222 (:2222)' can't be established.
RSA key fingerprint is d9:f0:74:99:58:5e:32:74:a1:7b:27:78:2e:b1:83:a8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ':2222' (RSA) to the list of known hosts.
Password:
Password:
ubuntu:~# id
uid=0(root) gid=0(root) groups=0(root)
ubuntu:~#

Malicious operations

ubuntu:~# ls /
sys        bin        mnt        media      vmlinuz    opt        cdrom      selinux    tmp        proc       sbin
etc        dev        srv        initrd.img lib        home       var        usr        boot       root       lost+found
ubuntu:~# ls -la /
drwxr-xr-x 1 root root  4096 2012-10-12 13:53 .
drwxr-xr-x 1 root root  4096 2012-10-12 13:53 ..
drwxr-xr-x 1 root root     0 2009-11-20 16:19 sys
drwxr-xr-x 1 root root  4096 2009-11-08 23:42 bin
drwxr-xr-x 1 root root  4096 2009-11-06 19:08 mnt
drwxr-xr-x 1 root root  4096 2009-11-06 19:08 media
lrwxrwxrwx 1 root root    25 2009-11-06 19:16 vmlinuz -> /boot/vmlinuz-2.6.26-2-686
drwxr-xr-x 1 root root  4096 2009-11-06 19:09 opt
lrwxrwxrwx 1 root root    11 2009-11-06 19:08 cdrom -> /media/cdrom0
drwxr-xr-x 1 root root  4096 2009-11-06 19:08 selinux
drwxrwxrwx 1 root root  4096 2009-11-20 16:19 tmp
dr-xr-xr-x 1 root root     0 2009-11-20 16:19 proc
drwxr-xr-x 1 root root  4096 2009-11-08 23:41 sbin
drwxr-xr-x 1 root root  4096 2009-11-20 16:20 etc
drwxr-xr-x 1 root root  3200 2009-11-20 16:20 dev
drwxr-xr-x 1 root root  4096 2009-11-06 19:09 srv
lrwxrwxrwx 1 root root    28 2009-11-06 19:16 initrd.img -> /boot/initrd.img-2.6.26-2-686
drwxr-xr-x 1 root root  4096 2009-11-08 23:46 lib
drwxr-xr-x 1 root root  4096 2009-11-06 19:22 home
drwxr-xr-x 1 root root  4096 2009-11-06 19:09 var
drwxr-xr-x 1 root root  4096 2009-11-08 23:46 usr
drwxr-xr-x 1 root root  4096 2009-11-08 23:39 boot
drwxr-xr-x 1 root root  4096 2009-11-20 17:08 root
drwx------ 1 root root 16384 2009-11-06 19:08 lost+found
ubuntu:~#

Delete everything

ubuntu:~# rm -rf /
ubuntu:~# ls -ls /
drwxr-xr-x 1 root root  4096 2012-10-12 13:53 .
drwxr-xr-x 1 root root  4096 2012-10-12 13:53 ..
drwxr-xr-x 1 root root     0 2009-11-20 16:19 sys
drwxr-xr-x 1 root root  4096 2009-11-08 23:42 bin
drwxr-xr-x 1 root root  4096 2009-11-06 19:08 mnt
drwxr-xr-x 1 root root  4096 2009-11-06 19:08 media
lrwxrwxrwx 1 root root    25 2009-11-06 19:16 vmlinuz -> /boot/vmlinuz-2.6.26-2-686
drwxr-xr-x 1 root root  4096 2009-11-06 19:09 opt
lrwxrwxrwx 1 root root    11 2009-11-06 19:08 cdrom -> /media/cdrom0
drwxr-xr-x 1 root root  4096 2009-11-06 19:08 selinux
drwxrwxrwx 1 root root  4096 2009-11-20 16:19 tmp
dr-xr-xr-x 1 root root     0 2009-11-20 16:19 proc
drwxr-xr-x 1 root root  4096 2009-11-08 23:41 sbin
drwxr-xr-x 1 root root  4096 2009-11-20 16:20 etc
drwxr-xr-x 1 root root  3200 2009-11-20 16:20 dev
drwxr-xr-x 1 root root  4096 2009-11-06 19:09 srv
lrwxrwxrwx 1 root root    28 2009-11-06 19:16 initrd.img -> /boot/initrd.img-2.6.26-2-686
drwxr-xr-x 1 root root  4096 2009-11-08 23:46 lib
drwxr-xr-x 1 root root  4096 2009-11-06 19:22 home
drwxr-xr-x 1 root root  4096 2009-11-06 19:09 var
drwxr-xr-x 1 root root  4096 2009-11-08 23:46 usr
drwxr-xr-x 1 root root  4096 2009-11-08 23:39 boot
drwxr-xr-x 1 root root  4096 2009-11-20 17:08 root
drwx------ 1 root root 16384 2009-11-06 19:08 lost+found
ubuntu:~#

Nothing was deleted. Now read the default files:

ubuntu:~# cat /etc/shadow
cat: /etc/shadow: No such file or directory
ubuntu:~# cat /etc/shadow-
cat: /etc/shadow-: No such file or directory
ubuntu:~# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
richard:x:1000:1000:richard,,,:/home/richard:/bin/bash
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
ubuntu:~#

This is not the real system's passwd file; it is presumably fake.

All of these operations are recorded in the MySQL database. Connect and take a look:

kippo@ubuntu:/opt/kippo$ mysql -u kippo -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 41
Server version: 5.1.61-0ubuntu0.10.10.1-log (Ubuntu)
Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>

Check the login-attempt records

mysql> use kippo;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> select * from auth;
+----+----------------------------------+---------+----------+----------+---------------------+
| id | session                          | success | username | password | timestamp           |
+----+----------------------------------+---------+----------+----------+---------------------+
|  1 | 0c592448143111e287c0000c299e3f14 |       0 | root     | dfsdfds  | 2012-10-12 05:52:51 |
|  2 | 0c592448143111e287c0000c299e3f14 |       1 | root     | 123456   | 2012-10-12 05:52:54 |
+----+----------------------------------+---------+----------+----------+---------------------+
2 rows in set (0.00 sec)
mysql>

Command records

mysql> select * from input;
+----+----------------------------------+---------------------+-------+---------+-----------------------------+
| id | session                          | timestamp           | realm | success | input                       |
+----+----------------------------------+---------------------+-------+---------+-----------------------------+
|  1 | 0c592448143111e287c0000c299e3f14 | 2012-10-12 05:52:56 | NULL  |       1 | id                          |
|  2 | 0c592448143111e287c0000c299e3f14 | 2012-10-12 05:53:28 | NULL  |       1 | ls /                        |
|  3 | 0c592448143111e287c0000c299e3f14 | 2012-10-12 05:53:34 | NULL  |       1 | ls -la /                    |
|  4 | 0c592448143111e287c0000c299e3f14 | 2012-10-12 05:53:47 | NULL  |       1 | rm -rf /                    |
|  5 | 0c592448143111e287c0000c299e3f14 | 2012-10-12 05:53:50 | NULL  |       1 | ls -ls /                    |
|  6 | 0c592448143111e287c0000c299e3f14 | 2012-10-12 05:54:23 | NULL  |       1 | echo "hacked by helen" > 1  |
|  7 | 0c592448143111e287c0000c299e3f14 | 2012-10-12 05:54:25 | NULL  |       1 | cat 1                       |
|  8 | 0c592448143111e287c0000c299e3f14 | 2012-10-12 05:54:31 | NULL  |       1 | echo "hacked by helen" >> 1 |
|  9 | 0c592448143111e287c0000c299e3f14 | 2012-10-12 05:54:37 | NULL  |       1 | ls                          |
| 10 | 0c592448143111e287c0000c299e3f14 | 2012-10-12 05:54:39 | NULL  |       1 | ls                          |
| 11 | 0c592448143111e287c0000c299e3f14 | 2012-10-12 05:54:40 | NULL  |       1 | ls -la                      |
| 12 | 0c592448143111e287c0000c299e3f14 | 2012-10-12 05:54:41 | NULL  |       1 | pwd                         |
+----+----------------------------------+---------------------+-------+---------+-----------------------------+
12 rows in set (0.00 sec)
mysql>

Session records

mysql> select * from sessions;
+----------------------------------+---------------------+---------------------+--------+----------------+----------+--------+
| id                               | starttime           | endtime             | sensor | ip             | termsize | client |
+----------------------------------+---------------------+---------------------+--------+----------------+----------+--------+
| cb9ef50e143011e287c0000c299e3f14 | 2012-10-12 05:50:58 | NULL                |      1 | 192.168.71.129 | NULL     |   NULL |
| df36bce6143011e287c0000c299e3f14 | 2012-10-12 05:51:31 | 2012-10-12 05:51:31 |      1 | 192.168.71.129 | NULL     |   NULL |
| ec4e7748143011e287c0000c299e3f14 | 2012-10-12 05:51:53 | NULL                |      1 | 192.168.71.129 | NULL     |   NULL |
| 0c592448143111e287c0000c299e3f14 | 2012-10-12 05:52:46 | NULL                |      1 | 192.168.71.129 | 124x37   |      1 |
+----------------------------------+---------------------+---------------------+--------+----------------+----------+--------+
4 rows in set (0.00 sec)
mysql>
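Querying the three tables by hand, as above, does not scale once real scanners start hitting port 2222. The script below is an added example (not kippo's own code and not from the original post) that joins sessions, auth and input into a per-session triage report and flags commands worth a second look. It assumes an in-memory sqlite3 stand-in for the MySQL database named kippo, with the same table and column names the SELECT output shows, and sample rows copied from that output plus one constructed cat /etc/shadow row; the SUSPICIOUS patterns are this example's own choices.

```python
"""Triage kippo sessions from its auth, input and sessions tables.

Added example, not kippo's own code. A real deployment would connect to the
MySQL database 'kippo' set up above; here the same three tables are built in
an in-memory sqlite3 database so the script runs offline.
"""
import re
import sqlite3

SCHEMA = """
CREATE TABLE sessions (id TEXT PRIMARY KEY, starttime TEXT, endtime TEXT,
                       sensor INTEGER, ip TEXT, termsize TEXT, client INTEGER);
CREATE TABLE auth (id INTEGER PRIMARY KEY, session TEXT, success INTEGER,
                   username TEXT, password TEXT, timestamp TEXT);
CREATE TABLE input (id INTEGER PRIMARY KEY, session TEXT, timestamp TEXT,
                    realm TEXT, success INTEGER, input TEXT);
"""

# Sample rows copied from the page's query output; the last input row is
# constructed from the shell session shown above (it ran after that query).
S_LOGIN = "0c592448143111e287c0000c299e3f14"
S_PROBE = "df36bce6143011e287c0000c299e3f14"
SAMPLE_SESSIONS = [
    (S_PROBE, "2012-10-12 05:51:31", "2012-10-12 05:51:31", 1, "192.168.71.129", None, None),
    (S_LOGIN, "2012-10-12 05:52:46", None, 1, "192.168.71.129", "124x37", 1),
]
SAMPLE_AUTH = [
    (1, S_LOGIN, 0, "root", "dfsdfds", "2012-10-12 05:52:51"),
    (2, S_LOGIN, 1, "root", "123456", "2012-10-12 05:52:54"),
]
SAMPLE_INPUT = [
    (1, S_LOGIN, "2012-10-12 05:52:56", None, 1, "id"),
    (2, S_LOGIN, "2012-10-12 05:53:28", None, 1, "ls /"),
    (4, S_LOGIN, "2012-10-12 05:53:47", None, 1, "rm -rf /"),
    (6, S_LOGIN, "2012-10-12 05:54:23", None, 1, 'echo "hacked by helen" > 1'),
    (13, S_LOGIN, "2012-10-12 05:55:10", None, 1, "cat /etc/shadow"),  # constructed
]

# Command patterns worth flagging in a report; these are this example's own
# choices, not a kippo feature.
SUSPICIOUS = {
    "destructive": re.compile(r"\brm\s+-\w*r\w*\s+/(\s|$)|\bmkfs\b|\bdd\s+if="),
    "credential_read": re.compile(r"/etc/(shadow|passwd)\b"),
    "download": re.compile(r"\b(wget|curl)\s"),
}


def load_sample_db():
    """Build the in-memory stand-in for kippo's MySQL database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO sessions VALUES (?,?,?,?,?,?,?)", SAMPLE_SESSIONS)
    db.executemany("INSERT INTO auth VALUES (?,?,?,?,?,?)", SAMPLE_AUTH)
    db.executemany("INSERT INTO input VALUES (?,?,?,?,?,?)", SAMPLE_INPUT)
    return db


def session_report(db, session_id):
    """Join the three tables for one session into a dict a human can read."""
    row = db.execute("SELECT ip, starttime, endtime FROM sessions WHERE id = ?",
                     (session_id,)).fetchone()
    if row is None:
        raise KeyError(session_id)
    ip, start, end = row
    attempts = db.execute("SELECT success, username, password FROM auth "
                          "WHERE session = ? ORDER BY id", (session_id,)).fetchall()
    commands = [c for (c,) in db.execute(
        "SELECT input FROM input WHERE session = ? ORDER BY id", (session_id,))]
    flags = sorted({name for c in commands
                    for name, rx in SUSPICIOUS.items() if rx.search(c)})
    return {"ip": ip, "start": start,
            "still_open": end is None,  # NULL endtime: the session never closed
            "failed_logins": [(u, p) for s, u, p in attempts if not s],
            "successful_logins": [(u, p) for s, u, p in attempts if s],
            "commands": commands, "flags": flags}


def flagged_sessions(db):
    """Reports for every session whose commands matched a SUSPICIOUS pattern."""
    ids = [i for (i,) in db.execute("SELECT id FROM sessions ORDER BY starttime")]
    return [r for r in (session_report(db, i) for i in ids) if r["flags"]]
```

Against the live database, replace load_sample_db() with a MySQLdb connection (the python-mysqldb package installed above) and change the ? placeholders to %s; the queries are otherwise the same.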